(57) Abstract

A distributed database management system provides a central database resident on a
server that contains database objects. Objects to be replicated are gathered together
into distribution packages called "slices", that are encrypted using a short-lived
symmetric key and broken into a succession of short, numbered data packets before
being transmitted to client devices. Data packets are captured by client devices and
held in a staging area until all packets in the sequence are present and are then
reassembled into the correct slice, which is then decrypted, or discarded when an
error is detected in the data packet. The source version, reference count, and
dependencies of the received object are verified before adding it to the database.
The invention provides a reaper that periodically examines all objects in the
database and, depending on the object types, examines various attributes and
attribute values to decide if the object

Distributed Database Management System



BACKGROUND OF THE INVENTION 



TECHNICAL FIELD 

The invention relates to the storing and viewing of television program material in a
computer environment. More particularly, the invention relates to the storage, 
distribution, and maintenance of information in a distributed self-maintaining 
database management system in a computer environment. 

DESCRIPTION OF THE PRIOR ART 

A classic tension exists in the design of automated data processing systems 
between pure client-server based systems, such as computer mainframe 
systems or the World Wide Web, and pure distributed systems, such as
Networks of Workstations (NOWS) that are used to solve complex computer 
problems, such as modeling atomic blasts or breaking cryptographic keys. 

Client-server systems are popular because they rely on a clean division of 
responsibility between the server and the client. The server is often costly and
specially managed, since it performs computations or stores data for a large 
number of clients. Each client is inexpensive, having only the local resources 
needed to interact with the user of the system. A network of reasonable 
performance is assumed to connect the server and the client. The economic 
model of these systems is that of centralized management and control driving
down the incremental cost of deploying client systems. 

However, this model has significant costs that must be considered. For instance,
the incremental cost of adding a new client system may be quite high. Additional
network capacity must be available, sufficient computing resources must be
available to support that client, including storage, memory and computing cycles,
and additional operational overhead is needed for each client because of these
additional resources. As the central servers become larger and more complex
they become much less reliable. Finally, a system failure of the server results in
all clients losing service.

Distributed systems are popular because the resources of the system are 
distributed to each client, which enables more complex functionality within the
client. Access to programs or data is faster since they are located with the client, 
reducing load on the network itself. The system is more reliable, since the failure 
of a node affects only it. Many computing tasks are easily broken down into 
portions that can be independently calculated, and these portions are cheaply 
distributed among the systems involved. This also reduces network bandwidth
requirements and limits the impact of a failed node. 

On the other hand, a distributed system is more complex to administer, and it 
may be more difficult to diagnose and solve hardware or software failures. 

Television viewing may be modeled as a client-server system, but one where 
the server-to-client network path is for all intents and purposes of infinite speed, 
and where the client-to-server path is incoherent and unmanaged. This is a natural 
artifact of the broadcast nature of television. The cost of adding another viewer is 
zero, and the service delivered is the same as that delivered to all other viewers.

There have been, and continue to be, many efforts to deliver television
programming over computer networks, such as the Internet, or even over a local
cable television plant operating as a network. The point-to-point nature of
computer networks makes these efforts unwieldy and expensive, since
additional resources are required for each additional viewer. Fully interactive
television systems, where the viewer totally controls video streaming bandwidth
through a client settop device, have proven even more uneconomical because
dedication of server resources to each client quickly limits the size of the system
that can be profitably built and managed.

However, television viewers show a high degree of interest in choice and control 
over television viewing. 

It would be advantageous to provide a distributed database management
system that enables a client to easily maintain the data in its local database and to
synchronize said database with the main server database. It would further be
advantageous to provide a distributed database management system that
provides a secure data transmission link between a server and its clients.



SUMMARY OF THE INVENTION 

The invention provides a distributed database management system. The
system creates a self-maintaining distributed database system that ensures that a
consistent subset of a central database is replicated in any number of client
devices. In addition, the invention provides a system that ensures that data
transmissions between a server and client are secure.

A client device, typified in Application Serial No. 09/126,071, owned by the
Applicant, provides functionality typically associated with central video servers,
such as storage of a large amount of video content, ability to choose and play this
content on demand, and full "VCR-like" control of the delivery of the content, as
typified in Application Serial No. 09/054,604, owned by the applicant.

The invention provides a central database resident on a server that contains
database objects. Objects to be replicated are gathered together into
distribution packages called "slices." A slice is a subset of the central database
which is relevant to clients within a specific domain, such as a geographic region,
or under the footprint of a satellite transmitter.

Using standard, currently existing techniques, ranging from private data channels 
in digital television signals, through modulation of data onto the Vertical Blanking
Interval (VBI) of an analog television signal, to direct connection with the server 
using a modem, slices are transmitted to the client devices, which choose 
portions of the information to save locally. 

The speed and periodicity of traversing the central database and generating
slices for transmission is adjustable in an arbitrary fashion to allow useful
cost/performance tradeoffs to be made. A slice is transmitted by breaking the
encrypted slice into a succession of short, numbered data packets. Each slice is
encrypted using a short-lived symmetric key before being transmitted to client
devices.

When a connection between the central database and a client device is
established, the client device sends an inventory of previously received slices to
a transmission server. The transmission server compares the inventory with the
list of slices that should have been processed by the client. Slices which were not
processed are then transmitted to the client.

Data packets are captured by client devices and held in a staging area until all
packets in the sequence are present. The packets are then reassembled into the
correct slice, which is then decrypted. A data packet is discarded when an error is
detected in the data packet. Database updates are treated as transactions such
that an entire transaction is completed or none of the transaction is completed.
Data packets which are older than a selected time period are purged from the
staging area on a periodic basis.
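
The client-side staging described in this paragraph can be sketched as follows. This is an added example, not code from the patent: the packet fields, the CRC-32 error check and the names Packet, packetize and StagingArea are assumptions, and decryption of the reassembled slice with the short-lived symmetric key is left to the caller.

```python
import zlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    slice_id: str
    seq: int        # 0-based position in the sequence
    total: int      # number of packets in the slice
    payload: bytes  # fragment of the encrypted slice
    crc: int        # CRC-32 of payload (assumed error check; it catches
                    # transmission damage only, it is not an authenticity check)


def packetize(slice_id, encrypted_slice, size):
    """Server side: break an encrypted slice into short, numbered packets."""
    chunks = [encrypted_slice[i:i + size]
              for i in range(0, len(encrypted_slice), size)]
    return [Packet(slice_id, n, len(chunks), c, zlib.crc32(c))
            for n, c in enumerate(chunks)]


class StagingArea:
    """Holds packets until every packet of a slice is present."""

    def __init__(self, max_age):
        self.max_age = max_age
        self._slices = {}  # slice_id -> (total, {seq: (payload, arrival time)})

    def receive(self, pkt, now):
        """Stage one packet; return the encrypted slice once complete, else None."""
        if zlib.crc32(pkt.payload) != pkt.crc:
            return None  # error detected: discard the packet
        if pkt.total < 1 or not 0 <= pkt.seq < pkt.total:
            return None  # numbering makes no sense: discard
        total, parts = self._slices.setdefault(pkt.slice_id, (pkt.total, {}))
        if total != pkt.total:
            return None  # disagrees with packets already staged
        parts.setdefault(pkt.seq, (pkt.payload, now))  # retransmissions are no-ops
        if len(parts) < total:
            return None
        del self._slices[pkt.slice_id]
        return b"".join(parts[i][0] for i in range(total))

    def purge(self, now):
        """Drop staged packets older than max_age; return how many were dropped."""
        dropped = 0
        for slice_id in list(self._slices):
            _, parts = self._slices[slice_id]
            stale = [s for s, (_, t) in parts.items() if now - t > self.max_age]
            for s in stale:
                del parts[s]
            dropped += len(stale)
            if not parts:
                del self._slices[slice_id]
        return dropped


def demo():
    ciphertext = bytes(range(10))  # constructed stand-in for an encrypted slice
    p0, p1, p2 = packetize("slice-A", ciphertext, 4)
    damaged = replace(p1, payload=b"\x00" + p1.payload[1:])  # one byte altered in transit
    area = StagingArea(max_age=60)
    # Out-of-order arrival, one damaged copy, then a clean retransmission.
    results = [area.receive(p, now=0) for p in (p2, p0, damaged, p1)]
    return ciphertext, results
```

Only the slice returned by the final receive call would be handed to decryption; a slice that never completes is removed by purge.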

A slice may communicate service related data to a client device or contain an 
authorization object indicating the allowable time delay before another 
authorization object is received, as well as one or more symmetric keys used to 
decrypt new slices which are valid for a short time period.

If the client has not received a proper authentication object by the delay time set 
in the client's local database, then the client will commence denial of select 
services to the viewer. 

The source version of the received object is compared with the source version of 
the current object when an object is received. If the received object has a higher 
source version attribute than the current object, then the received object is copied 
over the current object. Otherwise, the received object is discarded. 

When a new object is received, the database is checked to see if all 
dependencies of that object are present and, if so, then the new object is added 
to the database. Otherwise, the new object is "staged", saving it in a holding area
until all dependent objects are also staged. 

The reference count of an object is incremented by one for each object that refers 
to it. If an object which refers to other objects is deleted, then the reference count 
on all objects referred by it is decremented. If an object has a reference count of 
zero, then it will not persist in the database. 

The invention provides a reaper that periodically examines all objects in the
database and, depending on the object type, examines various attributes and
attribute values to decide if the object should be retained in the database.

Periodic tasks are invoked on the server to cull uploaded objects from the
database and to forward or dispose of them as appropriate, which may result in
new objects being added to the central database or existing objects being
updated. Any new or updated objects are transmitted to client devices.

Preference objects are created based on direct and indirect preferences and are 
weighted. A list of preferred programs is generated using the preference
objects. The list is used to create a recording schedule which is a collection of
recorded programs of most interest to the viewer. 



Client devices periodically connect to the server using a phone line and upload 
information of interest, such as viewing patterns, inferred characteristics, 
operational data or transactional information, relating to the viewer's purchase 
requests. This information is combined with information uploaded from other 
client devices to enhance the service by improving statistical models, focusing
resources on those programs and services of most interest to the viewers, or 
alerting the service provider to potential operational problems in the client device, 
such as failing components. 

Other aspects and advantages of the invention will become apparent from the
following detailed description in combination with the accompanying drawings,
illustrating, by way of example, the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a block schematic diagram of a preferred embodiment of a distributed
television viewing management system according to the invention; 

Fig. 2 is a block schematic diagram of the structure of a viewing object in
computer storage for programmatic access according to the invention; 

Fig. 3 is a block schematic diagram showing how the schema for a viewing object 
is structured in computer storage for programmatic access according to the 
invention; 

Fig. 4 is a block schematic diagram showing an example graph of relationships 
between viewing objects which describe information about programs according 
to the invention; 

Fig. 5 is a block schematic diagram showing an example graph of relationships 
generated when processing viewer preferences to determine programs of 
interest according to the invention; 

Fig. 6 is a block schematic diagram showing the scheduling of inputs and storage 
space for making recordings according to the invention; 

Fig. 7 is a flowchart showing the steps taken to schedule a recording using the 
mechanism depicted in Fig. 6 according to the invention; 

Fig. 8 is a block schematic diagram of a preferred embodiment of the invention 
showing the bootstrap system configuration according to the invention; 

Fig. 9a is a block schematic diagram of the decision flowchart for the bootstrap 
component according to the invention; 

Fig. 9b is a block schematic diagram of the decision flowchart for the bootstrap 
component according to the invention; and 

Fig. 10 is a block schematic diagram of the decision flowchart for the software
installation procedure according to the invention.

DETAILED DESCRIPTION OF THE INVENTION

The invention is embodied in a distributed database management system in a 
computer environment. A system according to the invention creates a
self-maintaining distributed database system that ensures that a consistent subset of
a central database is replicated in any number of client devices. In addition, the 
invention provides a system that ensures that data transmissions between a 
server and client are secure. 

The invention is embodied in a television viewing information transmission and
collection system that improves the ability of the individual viewer to select and
automatically timeshift television programs while providing opportunities for a
service provider to enhance and direct the viewing experience. The invention
describes a system which is fully distributed, in that calculations pertaining to an
individual viewer are performed personally for that viewer within a local client
device, while providing for the reliable aggregation and dissemination of
information concerning viewing habits, preferences or purchases.



The Database of Television Viewing Information 



Fig. 1 gives a schematic overview of the invention. Central to the invention is a 
method and apparatus for maintaining a distributed database of television 
viewing information among computer systems at a central site 100 and an 
extremely large number of client computing systems 101. The process of 
extracting suitable subsets of the central copy of the database is called "slicing"
102, delivering the resulting "slices" to clients is called "transmission" 103, 
delivering information collected about or on behalf of the viewer to the central site 
is called "collection" 104, and processing the collected information to generate 
new television viewing objects or reports is called "analysis" 107; in all cases, the 
act of recreating an object from one database within another is called "replication"
105. Data items to be transmitted or collected are termed "objects" 106, and the 
central database and each replicated subset of the central database contained 
within a client device is an "object-based" database. The objects within this 
database are often termed "television viewing objects", "viewing objects", or 
simply "objects", emphasizing their intended use. However, one skilled in the art
will readily appreciate that objects can be any type of data.

software when schemas are changed, added or deleted. Schema objects are
handled the same as all other viewing objects under the methods of this 
invention. 

Referring again to Fig. 2, each object in a database is assigned an "object ID" 
203 which must be unique within the database. This object ID may take many
forms, as long as each object ID is unique. The preferred embodiment uses a
32-bit integer for the object ID, as it provides a useful tradeoff between
processing speed and number of unique objects allowed. Each object also
includes a "reference count" 204, which is an integer giving the number of other
objects in the database which refer to the current object. An object with a
reference count of zero will not persist in the database (see below).

One specific type of viewing object is the "directory" object. A directory object
maintains a list of object IDs and an associated simple name for the object.
Directory objects may include other directory objects as part of the list, and there
is a single distinguished object called the "root" directory. The sequence of
directory objects traversed starting at the root directory and continuing until the
object of interest is found is called a "path" to the object; the path thus indicates a
particular location within the hierarchical namespace created among all directory
objects present in the database. An object may be referred to by multiple paths,
meaning that one object may have many names. The reference count on a
viewing object is incremented by one for each directory which refers to it.



Methods for the Maintenance of Database Consistency and Accuracy



One of the features of a preferred embodiment of the invention is to insure that 
each database replica remains internally consistent at all times, and that this 
consistency is automatically maintained without reference to other databases or 
the need for connection to the central site. There is no assurance that transmission 
or collection operations happen in a timely manner or with any assured
periodicity. For instance, a client system may be shut off for many months; when 
a transmission to the system is finally possible, the replication of objects must 
always result in a consistent subset of the server database, even if it is not 
possible to transmit all objects needed to bring the central and client databases 
into complete synchronization.

Even more serious, there can be no guarantee of a stable operational
environment while the database is in use or being updated. For example,
electrical power to the device may cease. This invention treats all database
updates as "transactions", meaning that the entire transaction will be completed,
or none of it will be completed. The specific technique chosen is called
"two-phase commit", wherein all elements of the transaction are examined and logged,
followed by performing the actual update. One familiar in the art will appreciate
that a standard journaling technique, where the transaction is staged to a separate
log, combined with a roll-forward technique which uses the log to repeat partial
updates that were in progress when the failure occurred, is sufficient for this
purpose.

One required derived attribute of every object is the "version", which changes
with each change to the object; the version attribute may be represented as a
monotonically increasing integer or other representation that creates a monotonic
ordering of versions. The schema for each object that may be replicated includes
an attribute called "source version" which indicates the version of the object from
which this one was replicated.

Transmission of a viewing object does not guarantee that every client receives
that object. For instance, while the object is being broadcast, external factors such
as sunspots may destroy portions of the transmission sequence. Viewing
objects may be continually retransmitted to overcome these problems, meaning
that the same object may be presented for replication multiple times. It is
inappropriate to simply update the database object each time an object to be
replicated is received, as the version number will be incremented although no
change has actually occurred. Additionally, it is desirable to avoid initiating a
transaction to update an object if it is unnecessary; considerable system
resources are consumed during a transaction.

Two approaches are combined to resolve this problem. First, most objects will 
have a basic attribute called "expiration". This is a date and time past which the 
object is no longer valid, and should be discarded. When a new object is
received, the expiration time is checked, and the object discarded if it has 
expired. Expiration handles objects whose transmission is delayed in some 
fashion, but it does not handle multiple receptions of the same unexpired object. 

The source version attribute handles this problem. When a viewing object is
transmitted, this attribute is copied from the current version attribute of the source
object. When the viewing object is received, the source version of the received
object is compared with the source version of the current object. If the new object
has a higher source version attribute, it is copied over the existing object,
otherwise it is discarded.

It is assumed that a much greater number of viewing objects are transmitted than
are of interest to any particular client system. For example, a "channel" viewing
object which describes the channels on a particular cable system is of no interest
to clients attached to other cable systems. Because of the overhead of capturing
and adding new objects to the database, it would be advantageous for received
objects to be filtered on other attributes in addition to those described above.
The invention accomplishes this by using a filtering process based on object
type and attribute values. In one implementation, this filtering process is based
on running executable code of some kind, perhaps as a sequence of commands,
which has been written with specific knowledge of various object types and how
they should be filtered.

In a preferred embodiment of the invention, a "filter" object is defined for each
object type which indicates what attributes are required, should not be present, or
ranges of values for attributes that make it acceptable for addition to the
database. One skilled in the art will readily appreciate that this filter object may
contain executable code in some form, perhaps as a sequence of executable
commands. These commands would examine and compare attributes and
attribute values of object being filtered, resulting in an indication of whether the
object should be the subject of further processing.

Viewing objects are rarely independent of other objects. For example, a
"showing" object (describing a specific time on a specific channel) is dependent
on a "program" object (describing a specific TV program). One important aspect 
of maintaining consistency is to insure that all dependent objects either already 
exist in the database or are to be added as part of a single transaction before 
attempting to add a new viewing object. This is accomplished using a basic 
attribute of the new viewing object called the "dependency" attribute, which
simply lists the object IDs and source versions of objects that the new object is 
dependent on. Clearly, new versions of an object must be compatible, in the 
sense that the schema defining new versions be the same or have a strict 
superset of the attributes of the original schema. 

When a new viewing object is received, the database is first checked to see if all
dependencies of that object are present; if so, the object is added to the
database. Otherwise, the new object is "staged", saving it in a holding area until
all dependent objects are also staged. Clearly, in order for a new set of viewing
objects to be added to the database, the dependency graph must be closed
between objects in the staging area and objects already existing in the database,
based on both object ID and source version. Once closure is achieved, meaning
all dependent objects are present, the new object(s) are added to the database
in a single atomic transaction.
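
The acceptance rules above (expiration, source version comparison, and staging until the dependency graph is closed) are shown here as an added example that is not part of the patent text. The class and field names are hypothetical, a dependency is assumed to be satisfied by the same or a higher source version, and a dictionary update stands in for the atomic transaction.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewingObject:
    object_id: int
    source_version: int
    expiration: float          # time past which the object is no longer valid
    dependencies: tuple = ()   # ((object_id, source_version), ...)


class Replica:
    def __init__(self):
        self.db = {}       # object_id -> ViewingObject in the database
        self.staged = {}   # object_id -> ViewingObject in the holding area

    @staticmethod
    def _newer(obj, table):
        current = table.get(obj.object_id)
        return current is None or obj.source_version > current.source_version

    def receive(self, obj, now):
        """Apply the replication checks to one received object."""
        if now > obj.expiration:
            return "discarded: expired"
        # A retransmission of the same (or an older) version changes nothing,
        # so no transaction is started for it.
        if not self._newer(obj, self.db) or not self._newer(obj, self.staged):
            return "discarded: not newer"
        self.staged[obj.object_id] = obj
        committed = self._commit_closed_set()
        return "added" if obj.object_id in committed else "staged"

    def _commit_closed_set(self):
        """Commit the largest set of staged objects whose dependencies are all
        met by the database or by other members of the set."""
        candidates = dict(self.staged)

        def satisfied(dep):
            oid, version = dep
            have = candidates.get(oid) or self.db.get(oid)
            # Assumption: an equal or higher source version satisfies the dependency.
            return have is not None and have.source_version >= version

        changed = True
        while changed:  # repeat until no candidate has to be dropped
            changed = False
            for oid, obj in list(candidates.items()):
                if not all(satisfied(d) for d in obj.dependencies):
                    del candidates[oid]
                    changed = True

        self.db.update(candidates)  # stands in for the single atomic transaction
        for oid in candidates:
            del self.staged[oid]
        return set(candidates)
```

Because candidates are only removed until a fixed point is reached, objects that depend on each other are committed together once both are staged.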

Naming and Finding Television Viewing Objects 

Directory objects have been described previously. Referring to Fig. 4, the
collection of directory objects, and the directed graph formed by starting at the
root path 400 and enumerating all possible paths to viewing objects is called a 
"namespace". In order for an object to be found without knowing a specific object 
ID, one or more paths within this namespace must refer to it. For instance, 
application software has little interest in object IDs, instead the software would like 
to refer to objects by paths, for instance "/tvschedule/today". In this example, the
actual object referred to may change every day, without requiring changes in any 
other part of the system. 

One way in which a path to an object may be established is by specifying a
"pathname" basic attribute on the object. The object is added to the database,
and directory objects describing the components of the path are created or 
updated to add the object. Such naming is typically used only for debugging the 
replication mechanisms. Setting explicit paths is discouraged, since the portions 
of the central database replicated on each client system will be different, leading 
to great difficulty in managing pathnames among all replicas of the database.

A preferred method for adding an object to the database namespace is called 
"indexing". In a preferred embodiment of the invention, an "indexer" object is 
defined for each object type which indicates what attributes are to be used when 
indexing it into the database namespace. One skilled in the art will readily
appreciate that this indexer object may contain executable code in some form, 
perhaps as a sequence of executable commands. These commands would 
examine and compare attributes and attribute values of object being indexed, 
resulting in an indication of where the object should be located in the namespace. 

Based on the object type, the indexer examines a specific set of attributes
attached to the object. When such attributes are discovered the indexer
automatically adds a name for the object, based on the value of the attribute,
within the hierarchical namespace represented by the graph of directories in the
database. Referring again to Fig. 4, a program object may have both an "actor"
attribute with value "John Wayne" and a "director" attribute with value "John Ford"
401. The root directory might indicate two sub-directories, "byactor" 402 and
"bydirector" 403. The indexer would then add the paths "/byactor/John Wayne"
and "/bydirector/John Ford" to the database, both of which refer to the same
object 401.

A derived attribute is maintained for each object listing the directory objects which 
refer to this object 404. As the indexer adds paths to the namespace for this 
object, it adds the final directory ID in the path to this list. This insures closure of
the object graph - once the object has been found, all references to that object 
within the database are also found, whether they are paths or dependencies. 

This unique and novel method of adding objects to the database has significant 
advantages over standard approaches. The indexer sorts the object into the
database when it is added. Thus, the search for the object associated with a 
particular path is a sequence of selections from ordered lists, which can be 
efficiently implemented by one familiar with the art. 

Deleting Objects from the Database

While the rules for adding objects to the database are important, the rules for 
removing objects from the database are also important in maintaining consistency 
and accuracy. For example, if there were no robust rules for removing objects, 
the database might grow unboundedly over time as obsolete objects
accumulate. 

The cardinal rule for deleting objects from the database is based on reference
counting; an object whose reference count drops to zero is summarily deleted.
For instance, this means that an object must either be referred to by a directory or
some other object to persist in the database. This rule is applied to all objects in
the closed dependency graph based on the object being deleted. Thus, if an
object which refers to other objects (such as a directory) is deleted, then the
reference count on all objects referred to is decremented, and those objects
similarly deleted on a zero count, and so forth.



WO 00/58833    PCT/US00/06079

There is also an automatic process which deletes objects from the database,
called the "reaper". Periodically, the reaper examines all objects in the database,
and depending on the object type, further examines various attributes and
attribute values to decide if the object should be retained in the database. ...
and the reaper will delete the object.

In the preferred embodiment, ... current object, and determines if the object
should be deleted.

The overhead of individually deleting every object whose reference count
has been decremented to zero ... results in a transaction with the database. ...
to limit the performance impact of reaping ... operations proceed ...

For instance, instead of deleting an object whose reference count has been
decremented to zero, the reaper performs no other action. Periodically, a
background task called the garbage collector examines each object in the
database. If the object has a reference count of zero, it is added to a list of
objects to be deleted. In one embodiment, once the garbage collector has
examined the entire database, it would delete all such objects in a single
transaction. ... may also result in ... garbage collector is active, resulting in
even worse performance.

In a preferred embodiment, the garbage collector examines the database in a
series of passes. Once a specific number of objects has been collected, they are
deleted in a single transaction. Said process continues until all objects have been
examined. This technique does not guarantee that all garbage objects are
collected during the examination process ... objects previously examined. These
objects will be found, however, the next
time the garbage collector runs. The number of objects deleted in each pass is
adjustable to achieve acceptable performance for other database activities. 
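
An added sketch, not from the patent, of the deferred deletion scheme described in this section: dropping a reference only decrements a count, and a garbage collector later removes zero-count objects in batches of adjustable size, one transaction per batch. ObjectStore, ROOT and the object IDs are hypothetical, and the root directory is assumed to be exempt from collection.

```python
ROOT = 0  # assumed ID of the distinguished root directory; never collected


class ObjectStore:
    def __init__(self):
        self.refs = {ROOT: []}   # object_id -> IDs of the objects it refers to
        self.count = {ROOT: 0}   # object_id -> reference count
        self.transactions = 0    # number of delete transactions performed

    def add(self, oid, refers_to=()):
        self.refs[oid] = []
        self.count[oid] = 0
        for target in refers_to:
            self.link(oid, target)

    def link(self, src, dst):
        self.refs[src].append(dst)
        self.count[dst] += 1

    def unlink(self, src, dst):
        # Deferred scheme: only decrement; deletion is left to the collector.
        self.refs[src].remove(dst)
        self.count[dst] -= 1

    def _delete_batch(self, batch):
        """Delete a batch in one transaction, decrementing everything referred to."""
        for oid in batch:
            for target in self.refs.pop(oid):
                if target in self.count:
                    self.count[target] -= 1
            del self.count[oid]
        self.transactions += 1

    def collect(self, batch_size):
        """One garbage collector run: examine every object once, deleting
        zero-count objects batch_size at a time. Returns the IDs deleted."""
        deleted, batch = [], []
        for oid in sorted(self.count):          # snapshot of the IDs to examine
            if oid == ROOT or oid not in self.count:
                continue
            if self.count[oid] == 0:
                batch.append(oid)
                if len(batch) == batch_size:
                    self._delete_batch(batch)
                    deleted += batch
                    batch = []
        if batch:
            self._delete_batch(batch)
            deleted += batch
        return deleted


def demo(batch_size):
    # Constructed graph: ROOT -> directory 20 -> objects 5 and 7; object 7 -> object 3.
    store = ObjectStore()
    store.add(3)
    store.add(5)
    store.add(7, [3])
    store.add(20, [5, 7])
    store.link(ROOT, 20)
    store.unlink(ROOT, 20)   # the directory loses its only reference
    runs = [store.collect(batch_size) for _ in range(3)]
    return runs, sorted(store.count), store.transactions
```

In the constructed graph, objects 5 and 7 reach a zero count only after they have already been examined in the first run, and object 3 only after the second, so each is picked up on the following run.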

Operations on the Distributed Television Viewing Object Database

Considerations in Maintaining the Distributed Viewing Object Database

The replication of television viewing objects among the instances of the 
distributed database necessarily requires the transmission of objects over 
unreliable and unsecure distribution channels. 



For example, if the objects are transmitted over a broadcast mechanism, such as
within a radio or television transmission, there can be no assurance that the data is
transmitted accurately or completely. Weather, such as rainstorms, may cause
dropouts in the transmission. Other sources of interference may be other
broadcast signals, heavy equipment, household appliances, etc.

One skilled in the art will readily appreciate that there are standard techniques for 
managing the transmission of data over unreliable channels, including repeated 
transmissions, error correcting codes, and others, which may be used for 
transmission, any or all of which may be used in any particular instance.

For efficiency, objects to be replicated are gathered together into distribution
packages, herein called "slices". A slice is a subset of the television viewing
object database which is relevant to clients within a specific domain, such as a
geographic region, or under the footprint of a satellite transmitter.

Security of these slices is quite important. Slices are used to add objects to the 
database which are used to provide valuable services to users of the database, 
as well as to store information that may be considered private or secret. Because
of the broadcast-oriented nature of slice transmission, slices may be easily
copied by third parties as they are transmitted. A practical solution to these
problems is to encrypt the slice during transmission. An ideal reference text on
the techniques employed in the invention is "Applied Cryptography: Protocols,
Algorithms, and Source Code in C" by Bruce Schneier, John Wiley and Sons,
1995.

In the preferred embodiment of the invention, a secure, encrypted channel is
established using techniques similar to those described in U.S. Pat. Serial No.
4,405,829, often described as asymmetric key encryption, or sometimes
public/private key pair encryption. A practitioner skilled in the art [...]
protocols based on asymmetric key encryption serves as a reliable and efficient
foundation for authentication of client devices and secure distribution of
information. In general, authentication is provided using an [...]
messages between the client and central systems. Secure distribution is
provided by encrypting all communications using a short-lived symmetric key
sent during an authentication phase.

Successful security requires that sender and receiver agree [...] on the
asymmetric key pair to be used for encryption. Such key [...]
weakest link in any cryptographic system for protecting electronic [...]
Application Serial No. 09/357,183, entitled "Self-Test Electronic [...]
Test System," filed July 19, 1999, also owned by the Applicant, describes a
mechanism whereby the client device generates the asymmetric key pair [...]
generated is stored within a secure microprocessor embedded within the client
device, such that the key is never presented to external devices. The public key
thus generated is transmitted to a local manufacturing system which records the
key along with the client serial number in a secure database. This database is later
securely transmitted to the central distribution system, where it is used to perform
secure communications with the client.

This unique and novel application of key generation solves the problem of key
distribution, as the private key is never presented [...]
client, where it might be discerned using special tools, such as a [...] analyzer.
Instead it may only be used within the security microprocessor itself to decrypt
messages originally encrypted with the public key, the results of which are then
provided to external components.

The remainder of this discussion assumes that all communications between client
and central systems are authenticated and encrypted as described above.

Transmitting Viewing Objects to the Client Systems

Referring again to Fig. 1, in a preferred embodiment of the invention the following
steps constitute "transmission" of television viewing objects from the central
database using slices:

1. There may be many mechanisms for transmitting slices to the universe of
client viewing devices. For instance, the slices may be directly downloaded
over a telephone modem or cable modem 109, they may be modulated into
lines of the Vertical Blanking Interval (VBI) of a standard television broadcast
108, or added to a digital television multiplex signal as a private data channel.
One skilled in the art will readily appreciate that any mechanism which can
transmit digital information may be used to transmit slices of the television
viewing object database.

The first step in preparing television viewing objects for transmission is
recognizing the transmission mechanism to be used for this particular instance,
and creating a slice of a subset of the database that is customized for that
mechanism. For example, the database may contain television viewing
objects relating to all programs in the country. However, if television viewing
objects are to be sent using VBI modulation on a local television signal, only
those television viewing objects relating to programs viewable within the
footprint of the television broadcast being used to carry them should be
contained within the relevant slice. Alternatively, if some of the television
viewing objects contain promotional material related to a particular geographic
region, those objects should not be transmitted to other geographic regions.

In a preferred embodiment of the invention, the speed and periodicity of
traversing the database and generating slices for transmission is adjustable in
an arbitrary fashion to allow useful cost/performance tradeoffs to be made. For
instance, it may only be necessary to create slices for certain transmission
methods every other day, or every hour.






The final step in preparing each slice is to encrypt the slice using a short-lived 
symmetric key. Only client devices which have been authenticated using 
secure protocols will have a copy of this symmetric key, making them able to 
decrypt the slice and access the television viewing objects within it. 



2. Once a slice is complete, it is copied to the point at which the transmission
mechanism can take and send the data 110. For telephone [...] the
slice is placed on a telephony server 111 which provides the data to each [...]

until a new slice is provided for transmission.

This repetitive broadcast of slices is required because there can be no
assurance [...] interference with [...]

[...] time-based usage fees, making it desirable to minimize the time spent
transmitting the slice.

This is accomplished using a two-step process. [...]
established, the client system sends [...]
slices to telephony servers 111. The server [...]
list of slices that should have been processed by that client. Slices which
were not processed are transmitted to the client system.

3. [...] short numbered data packets. [...]
and held in a staging area until all packets in the [...]
objects reliably into the client.

The invention keeps track of the time at which data packets are received.
Data packets which are older than a selected time period are purged from the
staging area on a periodic basis; this avoids consuming space for an indefinite
period while waiting for all parts of a slice to be transmitted.

Especially when transmitting the objects over a broadcast medium, errors of
various kinds may occur in the transmitted data. Each data packet is stamped
with an error detecting code (a parity field or CRC code, for example). When
an error is detected the data packet is simply discarded. The broadcast
carousel will eventually retransmit the data packet, which is likely to be
received properly. Slices of any size may thus be sent reliably; this is
achieved at the cost of staging received portions of the object on the client
until all portions are properly received.

4. There may be one or more "special" slices transmitted which communicate
service related data to the client system, particularly service authorization
information. It is important that the service provider be able to control the client
system's access to premium services if the viewer has failed to pay his bill or
for other operational reasons.

One particular type of special slice contains an "authorization" object.
Authorization objects are generally encrypted using asymmetric key
encryption based on the public/private key pair associated with a specific
client. If the slice can be successfully decrypted by the security
microprocessor using the embedded private key, the slice will contain an
object indicating the allowable time delay before another authorization object
is received, as well as one or more symmetric keys valid for a short time
period. The delay value is used to reset a timestamp in the database
indicating when the client system will stop providing services. The symmetric
keys are stored in the local television viewing object database, to be used in
decrypting new slices which may be received.

If the client has not received a proper authentication object by the time set in
the database, it will commence denial of most services to the viewer (as
specified by the service provider). Also contained within an authentication
object are one or more limited-lifetime download keys which are needed to
decrypt the slices that are transmitted. Clearly, if a client system is unable to
authenticate itself, it will not be able to decrypt any objects.






WO 00/58833 



PCT/US00/06079 



Each authorization slice is individually generated and transmitted. If broadcast 
transmission is used for the slices, all relevant authorizations are treated 
identically to all other slices and carouseled along with all other data. If direct 
transmission is used, such as via a phone connection, only the authentication 
slice for that client is transmitted. 

5. Once the client device has received a complete database slice, it uses the 
methods described earlier to add the new object contained within it to the 
database. 
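
The staging behaviour of step 3 (numbered packets, an error-detecting code on each packet, reassembly once every packet is present, periodic purging of stale packets), as an added Python example that is not part of the patent text. The packet layout, the field sizes and the names `make_packets` and `StagingArea` are assumptions made for illustration; decryption of the reassembled slice is left out.

```python
import struct
import zlib

HEADER = struct.Struct(">IHH")   # assumed layout: slice id, packet number, packets in slice
TRAILER = struct.Struct(">I")    # CRC-32 over header and payload


def make_packets(slice_id, encrypted_slice, payload_size):
    """Sender side: break a slice into short numbered packets, each with a CRC."""
    chunks = [encrypted_slice[i:i + payload_size]
              for i in range(0, len(encrypted_slice), payload_size)]
    packets = []
    for number, chunk in enumerate(chunks):
        body = HEADER.pack(slice_id, number, len(chunks)) + chunk
        packets.append(body + TRAILER.pack(zlib.crc32(body)))
    return packets


class StagingArea:
    """Client side: hold packets until every packet of a slice is present."""

    def __init__(self, max_age):
        self.max_age = max_age   # seconds a packet may wait in staging
        self.staged = {}         # slice id -> {packet number: (payload, received_at)}
        self.expected = {}       # slice id -> number of packets in the slice

    def receive(self, packet, now):
        """Stage one packet; return the reassembled slice once complete, else None."""
        if len(packet) < HEADER.size + TRAILER.size:
            return None
        body, (crc,) = packet[:-TRAILER.size], TRAILER.unpack(packet[-TRAILER.size:])
        if zlib.crc32(body) != crc:
            return None          # damaged in transit: discard, the carousel repeats it
        slice_id, number, count = HEADER.unpack_from(body)
        if number >= count or self.expected.setdefault(slice_id, count) != count:
            return None          # numbering inconsistent with what is already staged
        packets = self.staged.setdefault(slice_id, {})
        packets.setdefault(number, (body[HEADER.size:], now))   # repeats are ignored
        if len(packets) < count:
            return None
        del self.staged[slice_id], self.expected[slice_id]
        return b"".join(packets[n][0] for n in range(count))

    def purge(self, now):
        """Drop packets staged longer than max_age; return how many were dropped."""
        dropped = 0
        for slice_id in list(self.staged):
            packets = self.staged[slice_id]
            stale = [n for n, (_, t) in packets.items() if now - t > self.max_age]
            for number in stale:
                del packets[number]
                dropped += 1
            if not packets:
                del self.staged[slice_id], self.expected[slice_id]
        return dropped

    def staged_count(self, slice_id):
        """Number of packets currently held for a slice."""
        return len(self.staged.get(slice_id, {}))


if __name__ == "__main__":
    # Constructed stand-in for an encrypted slice.
    ciphertext = b"constructed stand-in for an encrypted slice " * 8
    area = StagingArea(max_age=3600)
    result = None
    for i, pkt in enumerate(make_packets(1, ciphertext, 64)):
        result = area.receive(pkt, now=i)
    print("reassembled intact:", result == ciphertext)
```

A CRC detects accidental corruption only, so a reassembled slice should be treated as untrusted until it has been decrypted and its objects checked.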

Collecting Information from the Client Systems 

Referring again to Fig. 1, in a preferred embodiment of the invention the following
steps constitute "collection" of television viewing objects from each client
database:

1. As the viewer navigates the television channels available to him, the client
system records interesting information, such as channel tuned to, time of 
tuning, duration of stay, VCR-like actions (e.g., pause, rewind), and other 
interesting information. This data is stored in a local television viewing object. 

Additionally, the viewer may indicate interest in offers or promotions that are 
made available, or he may indicate a desire to purchase an item. This 
information is also recorded into a local television viewing object. 

Additionally, operation of the client device may result in important data that 
should be recorded into a television viewing object. For example, errors may 
occur when reading from the hard disk drive in the client, or the internal 
temperature of the device may exceed operational parameters. Other similar 
types of information might be failure to properly download an object, running 
out of space for various disk-based operations, or rapid power cycling. 

2. At a certain time, which may be immediate or on a periodic basis, the client
system contacts the central site via a direct connection 104 (normally via
phone and/or an Internet connection). The client device sends a byte
sequence identifying itself which is encrypted with its secret key. The server
fetches the matching television viewing object for the client device from the
database, and uses the key stored there to decrypt the byte sequence. At
the same time, the server sends a byte sequence to the client, encrypted in
its secret key, giving the client a new one-time encryption key for the session.

Both sides must successfully decrypt their authentication message in order to 
communicate. This two-way handshake is important, since it assures both 
client and server that the other is valid. Such authentication is necessary to 
avoid various attacks that may occur on the client system. For example, if 
communications were not authenticated in such a fashion, a malicious party 
might create an "alias" central site with a corrupt television viewing object 
database and provide bad information to a client system, causing improper 
operation. All further communication is encrypted using the one-time session 
key. Encrypted communication is necessary because the information may 
pass across a network, such as the Internet, where data traffic is open to 
inspection by all equipment it passes through. Viewing objects being 
collected may contain information that is considered private, so this information 
must be fully protected at all times. 

Assuming that the authentication phase is successful, the two parties treat the 
full-duplex phone line as two one-way broadcast channels. New slices are 
delivered to the client, and viewing data to be collected is sent back. The 
connection is ended when all data is delivered. 

One skilled in the art will readily appreciate that this connection may take place 
over a network, such as the Internet running standard TCP/IP protocols, 
transparently to all other software in the system. 

3. Uploaded information is handled similarly by the server; it is assumed to 
represent television viewing objects to be replicated into the central 
database. However, there may be many uploaded viewing objects, as there 
may be many clients of the service. Uploaded objects are therefore assigned 
a navigable attribute containing information about their source; the object is 
then indexed uniquely into the database namespace when it is added. 

Uploaded viewing objects are not immediately added to the central
database; instead they are queued for later insertion into the database. This
allows the processing of the queue to be independent of the connection
pattern of client devices. For instance, many devices may connect at once,
generating a large number of objects. If these objects were immediately
added to the central database, the performance of all connections would
suffer and the connection time would increase. Phone calls are charged by
duration, thus any system in which connection time increases as a function of
load is not acceptable.

Another advantage of this separation is that machine or network failures are 
easily tolerated. In addition, the speed at which viewing objects are 
processed and added to the central database may be controlled by the 
service provider by varying the computer systems and their configurations to
meet cost or performance goals. 

Yet another advantage of this separation is that it provides a mechanism for
separating data collected to improve service operations and data which might
identify an individual viewer. It is important that such identifying data be kept
private, both for legal reasons and to increase the trust individuals have in the
service. For instance, the navigable attribute assigned to a viewing object
containing the record of a viewer's viewing choices may contain only the
viewer's zip code, meaning that further processing of those objects can
construct no path back to the individual identity.

Periodic tasks are invoked on the server to cull these objects from the
database and dispose of them as appropriate. For example, objects
indicating viewer behavior are aggregated into an overall viewer [...]
model, and information that might identify an individual viewer is discarded.
Objects containing operational information are forwarded to an analysis task,
which may cause customer service personnel to be alerted to potential
problems. Objects containing transactional information are forwarded to
transaction or commerce systems for fulfillment.

Any of these activities may result in new television viewing [...]
added to the central database, or in existing objects being updated. These
[...] will eventually be transmitted to client devices. [...]
viewing management system is closed loop, creating a [...]
replicated database system 105 which can support any number of client
systems.

Processing of Television Viewing Objects by Client Systems

Television viewing objects may contain the following types of information:
television program descriptions and showing times; cable, satellite or broadcast
signal originator information, such as channel numbering and identification; viewer
preference information, such as actors, genre, showing times, etc.; software, such
as enhanced database software, application software, operating system
software, etc.; statistical modeling information such as preference vectors,
demographic analysis, etc.; and any other arbitrary information that may be
represented as digital data.



Methods Applied to Program Guide Objects



Program guide objects contain all information necessary for software running in the
client system to tune, receive, record and view programs of interest to the user of
the client system, selecting from among all available programs and channels as
described by objects within the database.

This program guide information is updated on a regular basis by a service
provider. This is handled by the provider acquiring program guide information in
some manner, for instance, from a commercial supplier of such information or
other sources of broadcast schedule information. This data is then processed
using well-understood software techniques to reduce the information to a
collection of inter-related viewing objects.

Referring again to Fig. 4, a typical relationship between program guide objects is
shown. A television "network" object 407 is any entity which schedules and
broadcasts television programming, whether that broadcast occurs over the air,
cable, satellite, or other suitable medium. A television "program" object 401 is a
description of any distinct segment of a television broadcast signal, such as a
particular program, commercial advertisement, station promotion, opener, trailer,
or any other bounded portion of a television signal. A "showing" object 406 is a
portion of the broadcast schedule for a network on which a program is broadcast.
A "channel map" object maps a network broadcast onto a particular broadcast
channel for the medium being used; for instance, a channel map object for a
satellite broadcast service would include information about the transponder and
data stream containing the broadcast. Using the previously described methods,
this program guide data is replicated from the central site to the client systems,
where application software in the client systems use the data to manage
television viewing.

The service provider may also provide aggregation viewing objects, which
describe a set of program guide objects that are interrelated in some fashion. For
instance, a "Star-Trek" collection might contain references to all program guide
objects associated with this brand name. Clearly, any arbitrary set of programs
may be aggregated in this fashion. Aggregation objects are similar to directories.
For instance, the Star Trek collection might be found at "/showcases/Star Trek" in
the hierarchical namespace. Aggregation objects are also program guide objects,
and may be manipulated in a similar fashion, including aggregating aggregation
objects, and so forth.

The client system may further refine the collection of program objects. In a
system where programming may be captured to internal storage, each captured
program is represented by a new program guide object, becoming available for
viewing, aggregation, etc. Explicit viewer actions may also result in creation of
program guide objects. For instance, the viewer may select several programs
and cause creation of a new aggregation object.

This description of types of program guide objects is not meant to be inclusive;
there may be many different uses and ways of generating program guide
objects not herein described which still benefit from the fundamental methods of
the invention.

Program guide objects are used by the application software in five ways:

1. In the simplest case, the viewer may wish to browse these objects to discern
current or soon-to-be-available programming. The application software will
map the object relationships described by the database to some form of
visual and audible interface that is convenient and useful for the viewer. The
viewer may indicate that a particular program is of interest, resulting in some
application-specific action, such as recording the program to local storage
when it is broadcast.



2. Application software may also directly process program guide objects to
choose programs that may be of interest to the viewer. This process is
typically based on an analysis of previously watched programming
combined with statistical models, resulting in a priority ordering of all programs
available. The highest priority programs may be processed in an application
specific manner, such as recording the program to local storage when it is
broadcast. Portions of the priority ordering so developed may be presented
to the viewer for additional selection as in case 1.

One skilled in the art will readily appreciate that there is a great deal of prior art
centered on methods for selecting programming for a viewer based on
previous viewing history and explicit preferences, e.g., U.S. Pat. Serial No.
5,758,257. The methods described in this application are unique and novel
over these techniques as they suggest priorities for the capture of
programming, not the broadcast or transmission of programming, and there is
no time constraint on when the programming may be broadcast. Further
details on these methods are given later in this description.

In general, explicit viewer choices of programming have the highest priority
for capture, followed by programming chosen using the preference
techniques described herein.






3. A client system will have a small number of inputs capable of receiving
television broadcasts or accessing Web pages across a network such as an
intranet or the Internet. A scheduling method is used to choose how each
input is tuned, and what is done with the resulting captured television signal or
Web page.

Referring to Fig. 6, generally, the programs of interest to the viewer may be
broadcast at any time, on any channel, as described by the program guide
objects. Additionally, the programs of interest may be Web page Universal
Resource Locators (URL) across a network, such as an intranet or the Internet.
The channel metaphor is used to also describe the location, or URL, of a
particular Web site or page.

A viewer, for example, can "tune" into a Web site by designating the Web
site URL as a channel. Whenever that channel is selected, the Web site is
displayed. A Web page may also be designated as a program of interest
and a snapshot of the Web page will be taken and recorded at a
predetermined time.

The scheduler accepts as input a prioritized list of program viewing 
preferences 603, possibly generated as per the cases above. The 
scheduling method 601 then compares this list with the database of program 
guide objects 604, which indicate when programs of interest are actually 
broadcast. It then generates a schedule of time 607 versus available storage 
space 606 that is optimal for the viewer's explicit or derived preferred 
programs. Further details on these methods are given later in this description. 

4. When a captured program is viewed, the matching program guide object is 
used to provide additional information about the program, overlaid on the 
display using any suitable technique, preferably an On Screen Display 
(OSD) of some form. Such information may include, but is not limited to: 
program name; time, channel or network of original broadcast; expiration time; 
running time or other information. 

5. When live programming is viewed, the application uses the current time, 
channel, and channel map to find the matching program guide object. 
Information from this object is displayed using any suitable technique as 
described above. The information may be displayed automatically when the 
viewer changes channels, when a new program begins, on resumption of the 
program after a commercial break, on demand by the viewer, or based on 
other conditions. 

6. Using techniques similar to those described in case 2, application software
may also capture promotional material that may be of interest to the viewer.
This information may be presented on viewer demand, or it may be
automatically inserted into the output television signal at some convenient
point. For example, an advertisement in the broadcast program might be
replaced by a different advertisement which has a higher preference priority.
Using the time-warping apparatus, such as that described in Application
Serial No. 09/126,071, entitled "Multimedia Time Warping System," filed
July 30, 1998, it is possible to insert any stored program into the output
television signal at any point. The time-warping apparatus allows the overlaid
program to be delayed while the stored program is inserted to make this
work.

Methods for Generating a List of Preferred Programs

Viewer preferences may be obtained in a number of ways. The viewer may
request that certain programs be captured, which results in the highest possible
priority for those programs. Alternatively, the viewer may explicitly express
preferences using appurtenances provided through the viewer interface,
perhaps in response to a promotional spot for a particular program, or even
during the viewing of a program. Finally, preferences may be inferred from
viewing patterns: programs watched, commercial advertisements viewed or
skipped, etc.

In each case, such preferences must correspond to television viewing objects
stored in the replicated database. Program objects include a wealth of
information about each particular program, for example: title, description, director,
producer, actors, rating, etc. These elements are stored as attributes attached to a
program object.

Each individual attribute may result in the generation of a preference object. Such
objects store the following information:

1. The type of the preference item, such as actor or director preference;

2. The weight of the preference given by the viewer, which might be indicated
by multiple button presses or other means;

3. The statically assigned significance of the preference in relation to other
preferences, for example, actor preferences are more significant than director
preferences;

4. The actual value of the preference item, for instance the name of the director.

With respect to Fig. 5, preference objects are stored in the database as a
hierarchy similar to that described for program guide objects, however this
hierarchy is built incrementally as preferences are expressed 500. The hierarchy
thus constructed is based on "direct" preferences, e.g., those derived from
viewer actions or inferred preferences.

A similar hierarchy is developed based on "indirect" preferences pointing to the
same preference objects 501. In general, indirect preferences are generated
when preferences for aggregate objects are generated, and are used to further
weight the direct preferences implied by the collection of aggregated objects.
The preference objects referenced through the indirect preference hierarchy are
generated or updated by enumerating the available program objects which are
part of the aggregate object 502, and generating or updating preference objects
for each attribute thus found.

The weight of a particular preference 503 begins at zero, and then a standard
value is added based on the degree of preference expressed (perhaps by
multiple button presses) or a standard value is subtracted if disinterest has been
expressed. If a preference is expressed based on an aggregate viewing object,
all preferences generated by all viewing objects subordinate to the aggregated
object are similarly weighted. Therefore, a new weighting of relevant preference
elements is generated from the previous weighting. This process is bounded by
the degree of preference which is allowed to be expressed, thus all weightings
fall into a bounded range.

In a preferred embodiment of the invention, non-linear combinations may be
used for weighting a preference item. For instance, using statistical models
provided by the central site, the client may infer that a heavily weighted
preference for three attributes in conjunction indicates that a fourth attribute should
be heavily weighted as well.



The list of preferred programs is generated as follows: 



1. A table 504 is constructed which lists each possible program object attribute,
and any preference objects for that attribute that are present are listed in that
entry.

2. If the preference item is a string, such as an actor name, a 32-bit digital
signature for that string is calculated using a 32-bit CRC algorithm and stored
with the table item, rather than the string itself. This allows for much faster
scanning of the table as string comparisons are avoided, at the slight risk of
two different strings generating the same digital signature.

3. For each program object in the database, and for each attribute of that
program, the attribute is looked up in the table. If present, the list of
preference objects for that attribute is examined for a match with the attribute
of the current program object. If a match occurs, the weight associated with that
preference object is added to weighting associated with the program object
to generate a single weight for the program.

4. Finally, the program objects are rank-ordered based on the overall weighting
for each program, resulting in a list of most-preferred to least-preferred
programs.
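
The table-driven weighting of steps 1 to 4, as an added Python example (not code from the patent). The data layout and function names are assumptions and the sample names are constructed; `colliding_values` is an added audit helper that exposes the signature-collision risk step 2 accepts, using two strings that share a CRC-32.

```python
import zlib
from collections import defaultdict


def signature(value):
    """32-bit CRC stored in the table in place of a string preference value."""
    return zlib.crc32(value.encode("utf-8"))


def build_table(preferences):
    """Map attribute -> {signature: weight} from (attribute, value, weight) items."""
    table = defaultdict(dict)
    for attribute, value, weight in preferences:
        entry = table[attribute]
        sig = signature(value)
        entry[sig] = entry.get(sig, 0) + weight
    return table


def program_weight(program, table):
    """Sum the weights of every preference that matches one of the program's attributes."""
    total = 0
    for attribute, values in program["attributes"].items():
        entry = table.get(attribute, {})
        total += sum(entry.get(signature(v), 0) for v in values)
    return total


def rank_programs(programs, table):
    """Most-preferred first; ties keep database order because sorted() is stable."""
    return sorted(programs, key=lambda p: program_weight(p, table), reverse=True)


def colliding_values(values):
    """Groups of distinct strings that share one signature."""
    by_signature = defaultdict(set)
    for value in values:
        by_signature[signature(value)].add(value)
    return [sorted(group) for group in by_signature.values() if len(group) > 1]


# Constructed sample data. "plumless" and "buckeroo" stand in for two actor
# names whose CRC-32 values are equal.
PREFERENCES = [
    ("actor", "plumless", 3),
    ("director", "Director B", 2),
    ("genre", "Game show", -2),      # disinterest is a negative weight
]
PROGRAMS = [
    {"title": "P1", "attributes": {"actor": ["plumless"], "genre": ["Drama"]}},
    {"title": "P2", "attributes": {"actor": ["Actor C"], "director": ["Director B"],
                                   "genre": ["Game show"]}},
    {"title": "P3", "attributes": {"actor": ["buckeroo"], "director": ["Director B"]}},
    {"title": "P4", "attributes": {"genre": ["Game show"]}},
]

if __name__ == "__main__":
    table = build_table(PREFERENCES)
    for program in rank_programs(PROGRAMS, table):
        print(program["title"], program_weight(program, table))
    print("colliding values:", colliding_values(["plumless", "buckeroo", "Actor C"]))
```

P3 outranks P1 only because its actor's signature collides with the preferred actor's; comparing the strings themselves on a signature hit would remove that false match.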


Given this final prioritized list, a recording schedule is generated using the 
methods described below, resulting in a collection of recorded programs of most 
interest to the viewer. 

Methods Applied to Scheduling Recording Versus Available Storage Space

As has been described previously, recorded programs will in general have an
expiration date, after which the recorded program is removed from client storage.
The viewer may at any time indicate that a program should be saved longer,
which delays expiration by a viewer-selected interval. The invention views the
available storage for recording programs as a "cache"; unviewed programs are
removed after a time, based on the assumption they will not be watched if not
watched soon after recording. Viewed programs become immediate candidates
for deletion, on the assumption they are no longer interesting.

With proper scheduling of recording and deletion of old programs, it is possible
[...] flushing of old programs and addition of new programs. Additionally, [...] resource
[...] recordings may be scheduled of programs based [...]
preferences of the viewer; these are called "fuzzy" recordings. [...]
in its place or the viewer explicitly deletes it.

Additionally, the viewer may select a program for recording at any time, and the
[...] window may conflict with other scheduled recordings, or there may not
be sufficient space obtainable when the program must be recorded.
[...] includes unique and novel methods of resolving such conflicts.

Conflicts can arise for two reasons: lack of storage space or lack of input source.
The television viewing system described herein includes a [...]
sources for recording video and a storage medium [...]
capacity for storing the [...]
broadcast over any significant period of time is not [...]
resolving the conflicts that arise because of resource limitations is the key [...]
having the correct programs available for viewing.

Referring again to Fig. 6, the invention maintains two schedules, the Space
Schedule 601 and the Input Schedule 602. The Space [...]
current recorded programs and those which have been scheduled [...]
recorded in the future. The amount of space [...]
time may be found by generating the sum of [...] space that [...]
not counted in this calculation; such programs
automatically lose all conflict decisions.

A program may be recorded 603 if at all times between when the recording
would be initiated and when it expires, sufficient space [...] to hold it. In
addition, for the duration of the program, there must be an input [...]
which to record it. The Input Schedule 602 tracks the free and occupied time slots
for each input source. In a preferred embodiment of the invention, the input
sources may not be used for identical services, e.g., one input may be from a
digital television signal and another from an analog television signal with different
programming. In this case, only those inputs from which the desired program can
be recorded are considered during scheduling.

With respect to Fig. 7, a flowchart is shown describing the steps taken to schedule
a recording in the preferred embodiment. First, an ordered list of showings of the
program of interest is generated 701. Although a preferred embodiment of the
invention orders these showings by time, such that the recording is made as
soon as possible, any particular ordering might be chosen. Each showing in this
list 702 is then checked to see if input 703 or space 704 conflicts occur as
described above. If a showing is found with no conflicts, then the program is
scheduled for recording 705.

Otherwise, a preferred embodiment of the invention selects only those showings
of the program which have no input conflicts 706. Referring again to Fig. 6, one
can see that over the lifetime of a recording the amount of available space will
vary as other programs are recorded or expire. The list of showings is then
sorted, preferably by the minimum amount of available space during the lifetime
of the candidate recording. Other orderings may be chosen.

Referring again to Fig. 7, for each candidate showing, the viewer is presented 
with the option of shortening the expiration dates on conflicting programs 708, 
709. This ordering results in the viewer being presented these choices in order 
from least impact on scheduled programs to greatest 707; there is no 
requirement of the invention that this ordering be used versus any other. 

Should the viewer reject all opportunities to shorten expiration times, the final
step involves selecting those showings with input conflicts 710, and sorting these
showings as in the first conflict resolution phase 711. The viewer is then
presented with the option to cancel each previously scheduled recording in favor
of the desired program 712, 713. Of course, the viewer may ultimately decide
that nothing new will be recorded 714.
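
The Fig. 7 procedure up to the point where the viewer is consulted, as an added example that is not part of the patent text. All class, field and function names, the hour-based time unit and the sample data are assumptions; a single list of recordings stands in for both the Space Schedule and the Input Schedule, and "least impact first" is read as "most free space first".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Recording:
    title: str
    start: int      # hour at which recording begins (constructed time unit)
    end: int        # hour at which the broadcast ends and the input is released
    expires: int    # hour at which the recording is deleted from storage
    size: int       # storage units held from start until expires
    input_id: str   # input source occupied from start until end

@dataclass(frozen=True)
class Showing:
    title: str
    start: int
    end: int
    expires: int
    size: int
    inputs: tuple   # only inputs that carry this service are candidates

def free_space(schedule, capacity, t):
    """Space Schedule lookup: capacity minus everything occupying storage at t."""
    return capacity - sum(r.size for r in schedule if r.start <= t < r.expires)

def min_free_space(schedule, capacity, start, expires):
    """Lowest free space over [start, expires). Occupancy only rises when a
    recording starts, so the window start plus each start inside it suffice."""
    points = {start} | {r.start for r in schedule if start < r.start < expires}
    return min(free_space(schedule, capacity, t) for t in points)

def free_input(schedule, showing):
    """Input Schedule lookup: first usable input idle for the whole broadcast."""
    for inp in showing.inputs:
        busy = any(r.input_id == inp and r.start < showing.end
                   and showing.start < r.end for r in schedule)
        if not busy:
            return inp
    return None

def schedule_program(showings, schedule, capacity):
    """Steps 701-711 of Fig. 7; the viewer prompts (708-709, 712-714) are left
    to the caller, which receives the candidates in presentation order."""
    ordered = sorted(showings, key=lambda s: s.start)                # 701
    for s in ordered:                                                # 702
        inp = free_input(schedule, s)                                # 703
        if inp is not None and min_free_space(
                schedule, capacity, s.start, s.expires) >= s.size:   # 704
            rec = Recording(s.title, s.start, s.end, s.expires, s.size, inp)
            schedule.append(rec)                                     # 705
            return "scheduled", rec

    def headroom(s):
        return min_free_space(schedule, capacity, s.start, s.expires)

    # 706-707: showings with a free input, most headroom (least impact) first.
    shorten = sorted((s for s in ordered if free_input(schedule, s) is not None),
                     key=headroom, reverse=True)
    # 710-711: showings blocked on every input, sorted the same way.
    cancel = sorted((s for s in ordered if free_input(schedule, s) is None),
                    key=headroom, reverse=True)
    return "conflict", {"shorten_expiry": shorten, "cancel_existing": cancel}

def sample():
    """Constructed data: one tuner, 100 storage units, three existing recordings."""
    existing = [Recording("A", 0, 2, 48, 60, "tuner1"),
                Recording("B", 20, 22, 30, 20, "tuner1"),
                Recording("C", 40, 41, 60, 15, "tuner1")]
    showings = [Showing("Movie", st, st + 2, st + 24, 30, ("tuner1",))
                for st in (1, 10, 31, 50)]
    return 100, existing, showings

if __name__ == "__main__":
    capacity, existing, showings = sample()
    print(schedule_program(showings[:3], list(existing), capacity))
    print(schedule_program(showings, list(existing), capacity))
```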

In a preferred embodiment of the invention all conflicts are resolved as early as
possible, giving the viewer [...] recorded. When the viewer makes an explicit
[...] to record, the algorithm described in Fig. 7 is used to [...] the recording
and manage any conflicts that arise.

Once an explicit selection has been made, and the viewer informed that the
recording will be done, it will not be canceled without explicit approval of the
viewer.

Fuzzy recordings are [...] device. Given the prioritized list of preferred
programs [...] background scheduler attempts to [...] program [...] until
the list is exhausted or no [...] is available. A preferred [...] recorded at
that time.

A further [...] arises when [...] recording is requested. [...] above for such
objects, a potentially [...] number of [...] might be generated, leading to a
[...] viewer in resolving the [...]. Thus, when aggregate [...] are chosen for
recording, conflicts are automatically resolved in favor [...]

In a preferred embodiment of [...] resulting from the recording of aggregate
objects will be resolved using [...] programs involved; [...] multiple [...]
particular program [...] the aggregate object, it will only be recorded [...]
preference exceeds [...] of [...] conflicting programs.

The client system requires a complex software environment for proper
operation. An operating system manages the interaction between hardware
devices in the client and software applications which manipulate those devices.
The television viewing object database is managed by a distinct software
application. The time-warping software application is yet another application.



It is desirable to add new features or correct defects in these and other software
subsystems which run on the client hardware device. Using the methods
described herein, it is possible to replicate viewing objects containing updated
software modules into the client system database. Once present in the client
system database, the following unique and novel methods are used to install the
updated software and cause the client system to begin executing the new
software.

The software environment of the device is instantiated as a sequence of steps
that occur when power is first applied to the device, each step building up state
information which supports proper application of the following step. The last step
launches the applications which manage the device and interact with the viewer.
These steps are:



1. A read-only or electrically programmable memory in the device holds an initial
bootstrap sequence of instructions. These instructions initialize low-level
parameters of the client device, initialize the disk storage system, and load a
bootstrap loader from the disk into memory, to which execution is then
passed. This initial bootstrap may be changed if it resides in an electrically
programmable memory.

2. The second stage boot loader then locates the operating system on the disk
drive, loads the operating system into memory, and passes execution to the
operating system. This loader must exist at a specific location on the disk so
as to be easily located by the initial loader.

The operating system performs necessary hardware and software initialization. It
then loads the viewing object database software from the disk drive, and begins
execution of the application. Other application software, such as the time-warping
software and viewer interaction software, are also loaded and started. This
software is usually located in a separate area on the disk from [...]
database or captured television programs.

Ideally new software would be installed by simply copying it to the appropriate
place on the disk drive and rebooting the device. This operation is fraught with
danger, especially in a home environment. Power may fail while copying the
[...] inconsistent software image and potential operating [...] software may
have defects which prevent proper operation. A failure may occur on the disk
drive, corrupting the software image.

Although the methods of this invention have referred to a disk drive, one skilled in
the art will readily appreciate that the methods described here apply generally to
[...] system. A disk drive, and other [...] systems, are typically formatted into
a sequence of fixed-size [...] sectors. "Partitions" are sequential,
non-overlapping subsets of this sequence which break up the storage into
logically independent areas.

With respect to Fig. 8, the invention maintains a sector of information at a fixed
[...] contains sufficient information for the initial bootstrap 801 to [...]
partitioning of the drive 803, and to locate the second stage boot loader 806.

The disk is partitioned into at least seven (7) partitions. There [...] (2) small
partitions dedicated to holding a copy of the second stage boot loader [...]
the boot sector 805 in which one of the partitions is marked "primary", and the
second is marked "backup".

One skilled in the art will readily appreciate that, although [...] described
herein for redundancy, triple, quadruple or greater degrees of redundancy can be
achieved by creating more duplicated partitions.

With respect to Figs. 9a and 9b, on boot 901, the initial bootstrap code reads
the boot sector 902, scans the partition table and locates the "primary" partition
for the second stage boot loader. It then attempts to load this program into
memory 903. If it fails 904, for instance, due to a failure of the disk drive, the boot
loader attempts to load the program in the "backup" partition into memory 905.
Whichever attempt succeeds, the boot loader then passes control to the newly
loaded program, along with an indication of which partition the program was
loaded from 906.

Similarly, the second stage boot loader reads the partition table and locates the
"primary" operating system kernel 907. If the kernel cannot be loaded 908, the
"backup" kernel is loaded instead 909. In any case, control is passed to the
operating system along with an indication of the source partition, along with the
passed source partition from above 910.

Finally, the operating system locates the "primary" partition containing application
software and attempts to load the initial application 911. If this fails 912, then the
operating system locates the "backup" partition and loads the initial application
from it 913. An indication of the source partition is passed to the initial application,
along with the source partition information from the previous steps. At this point,
application software takes over the client system and normal viewing
management behavior begins 914.

This sequence of operations provides a reasonable level of protection from disk
access errors. It also allows for a method which enables new software at any of
these levels to be installed and reliably brought into operation.

An "installer" viewing object in the object database is used to record the status of
software installation attempts. It records the state of the partitions for each of the
three levels above, including an indication that an attempt to install new software
is underway 915. This operation is reliable due to the transactional nature of the
database.

Referring to Fig. 10, installing a new software image at any of the three levels is
handled as follows: the new software image is first copied into the appropriate
[...] rebooted 1004. Eventually, control will be passed [...] If so, the installation
at that level was successful [...] otherwise, the [...] Copying the partition
insures that a backup copy of known good [...] is kept available at all times.

In a preferred embodiment of the [...] of the installation for the [...] parts
of the application [...] have been [...] application environment are working
properly before [...]
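
The primary/backup boot chain of Figs. 9a and 9b together with the post-boot check against the installer object, as an added simulation that is not part of the patent text. Partition names "A"/"B", the "!corrupt" marker, all identifiers, and the exact install and restore steps (write to backup, mark the install underway, swap markings, restore on fallback) are assumptions where the surviving text is incomplete.

```python
LEVELS = ("bootloader", "kernel", "application")   # the three levels of Figs. 9a/9b

class Disk:
    """Toy model of the duplicated partitions and the 'installer' object.
    Partition names 'A'/'B' and all field names are hypothetical."""
    def __init__(self):
        self.primary = {lvl: "A" for lvl in LEVELS}        # boot-sector marking
        self.images = {(lvl, p): lvl + "-v1" for lvl in LEVELS for p in "AB"}
        self.installing = {lvl: False for lvl in LEVELS}   # installer object
        self.results = {}

    def backup(self, level):
        return "B" if self.primary[level] == "A" else "A"

def loadable(image):
    # Stand-in for "the load succeeded"; a '!corrupt' suffix marks a bad image.
    return not image.endswith("!corrupt")

def boot(disk):
    """Walk the chain, trying primary then backup at each level, and return the
    source-partition indication handed up to the next stage (906, 910)."""
    source = {}
    for level in LEVELS:
        if loadable(disk.images[(level, disk.primary[level])]):
            source[level] = "primary"
        elif loadable(disk.images[(level, disk.backup(level))]):
            source[level] = "backup"
        else:
            raise RuntimeError("no loadable image for " + level)
    return source

def begin_install(disk, level, image):
    """Assumed install sequence: write the new image to the backup partition,
    record that an install is underway, swap the markings, then reboot. The
    running primary is never written, so a power failure mid-copy is harmless."""
    target = disk.backup(level)
    disk.images[(level, target)] = image
    disk.installing[level] = True
    disk.primary[level] = target

def reconcile(disk, source):
    """First task after boot: settle every level with an install underway."""
    for level in LEVELS:
        if not disk.installing[level]:
            continue
        if source[level] == "primary":
            disk.results[level] = "success"    # the new image actually booted
        else:
            # Fell back to the old image: copy it over the failed primary so
            # that two known-good copies exist again.
            disk.images[(level, disk.primary[level])] = \
                disk.images[(level, disk.backup(level))]
            disk.results[level] = "failed"
        disk.installing[level] = False

def demo():
    """One good kernel update followed by one corrupt application update."""
    disk = Disk()
    begin_install(disk, "kernel", "kernel-v2")
    reconcile(disk, boot(disk))
    begin_install(disk, "application", "application-v2!corrupt")
    reconcile(disk, boot(disk))
    return disk

if __name__ == "__main__":
    d = demo()
    print(d.results, d.images)
```

The fallback fires only when a load fails; an image that loads and then misbehaves is left to the delayed finalization described above and to the operations status reporting that follows.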

[...] information about [...] site is established.

The following operations status indicators are recorded for later collection along
with a time stamp:

1. [...] other contextual information, such [...] processing of this object at the
central site results in a complete trace of viewer actions, including the context
in which each action is taken.

2. Automatic actions, such as beginning or ending the recording of a program, or
choosing a program to record based on viewer preferences, are recorded. In
addition, deletion of captured programs is recorded. Post-processing of this
object at the central site results in a complete trace of program capture actions
taken by the client system, including the programs residing in the persistent
store at any point in time.

3. Software installation actions, including reception, installation, and post-reboot
results are recorded.

4. Hardware exceptions of various kinds, including but not limited to: power
fail/restart, internal temperature profile of the device, persistent storage access
errors, memory parity errors and primary partition failures.

Since all actions are recorded along with a time stamp, it is possible to reconstruct
the behavior of the client system using a linear time-based ordering. This allows
manual or automatic methods to operate on the ordered list of events to correlate
actions and behaviors. For instance, if an expected automatic action does not
occur soon after rebooting with new software, it may be inferred that the new
software was defective.
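
The inference in the last paragraph, run over a constructed event list, as an added example that is not part of the patent text. The record layout, the action names, the one-hour window and the three verdict labels are assumptions; the text names only the categories of events.

```python
# Constructed operations-status records: (timestamp_s, category, action, detail).
# They are deliberately out of order, as uploads from a client may be.
EVENTS = [
    (9300, "viewer", "button_press", "menu"),
    (1000, "software", "received", "v2"),
    (1100, "software", "installed", "v2"),
    (1200, "hardware", "power_restart", ""),
    (1210, "software", "post_reboot", "v2"),
    (1500, "automatic", "recording_started", "News"),
    (9000, "software", "installed", "v3"),
    (9100, "software", "post_reboot", "v3"),
    (9150, "hardware", "primary_partition_failure", ""),
    (20000, "viewer", "button_press", "play"),
    (30500, "viewer", "button_press", "guide"),
    (30000, "software", "post_reboot", "v4"),
]

def timeline(events):
    """Linear time-based ordering of everything the client recorded."""
    return sorted(events, key=lambda e: e[0])

def classify_reboots(events, expected=("automatic", "recording_started"),
                     window=3600):
    """For each post-reboot record, report whether the expected automatic
    action followed within `window` seconds, plus any hardware exceptions
    seen in that window as context for whoever reviews the verdict."""
    ordered = timeline(events)
    last_seen = ordered[-1][0] if ordered else 0
    verdicts = {}
    for ts, category, action, version in ordered:
        if (category, action) != ("software", "post_reboot"):
            continue
        after = [e for e in ordered if ts < e[0] <= ts + window]
        faults = [e[2] for e in after if e[1] == "hardware"]
        if any((e[1], e[2]) == expected for e in after):
            verdict = "ok"
        elif last_seen >= ts + window:
            verdict = "suspect"        # window fully observed, action absent
        else:
            verdict = "inconclusive"   # log ends before the window closes
        verdicts[version] = (verdict, faults)
    return verdicts

if __name__ == "__main__":
    for version, result in classify_reboots(EVENTS).items():
        print(version, result)
```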

Processing of Television Viewing Objects by Central Site Systems

Sources of Television Viewing Objects

A client system has a single source of television viewing objects: the central site.
The central site object database has many sources of television viewing objects:

1. Program guide information obtained from outside sources is processed to
produce a consistent set of program guide objects, indicating "programs",
"showings", [...] and other related [...] atomic operation.

2. New [...] loaded library, which must be reflected in the [...] systems in use,
each [...] indicating the type of system [...] to the database as an atomic
operation.

[...] key matching this secret key is loaded [...] authentication objects as
necessary.

[...] case, however, the aggregate [...] objects already present in the
database. Also [...] the aggregation is available, it is added [...] operation.

5. Data collected from client systems.

Operations on Television Viewing Objects

There are a large number of possible operations on the central television viewing
object database. The following examples are meant to show the type of
processing that may be performed, however the potential operations are not
limited to these examples:

1. Using various viewing objects, a number of interesting statistical analysis tasks
may be performed:

1.1. By examining large numbers of uploaded operations status objects, it is
possible to perform extensive analysis of hardware reliability trends and
failure modes. For instance, it is possible to correlate internal temperature
with expected MTBF (Mean Time Between Failures) of client devices.

1.2. By examining large numbers of uploaded viewing information, it is
possible to derive demographic or psychographic information about
various populations of client devices. For example, it is possible to
correlate TV programs most watched within specific zip codes in which
the client devices reside.

1.3. Similarly, by examining large numbers of viewing information objects, it is
possible to generate "rating" and "share" values for particular programs
with fully automated methods, unlike existing program rating methods.

1.4. There are many other examples of statistical analysis tasks that might be
performed on the viewing object database; these examples are not
meant to limit the applicability of the invention, but to illustrate by
example the spectrum of operations that might be performed.

2. Specialty aggregation objects may be automatically generated based on
one or more attributes of all available viewing objects.

Such generation is typically performed by first extracting information of
interest from each viewing object, such as program description, actor, director,
etc., and constructing a simple table of programs and attributes. An aggregate
viewing object is then generated by choosing one or more attributes, and
adding to the aggregate those programs for which the chosen attributes match
in some way.

These objects are then included in the slices generated for transmission,
possibly based on geographic or other information. Some example
aggregates that might be created are:

2.1. Aggregates based on events, such as a major league football game in a
large city. In this case, all programs viewable by client devices in or
around that city are collected, and the program description searched for
the names of the teams playing, coaches' names, major players' names,
the name of the ballpark, etc. Matching program objects are added to the
aggregate, which is then sliced for transmission only to client devices in
regions in and around the city.

2.2. Aggregates based on persons of common interest to a large number of
viewers. For instance, an aggregate might be constructed of all "John
Wayne" movies to be broadcast in the next week.

2.3. Aggregates based on viewing behavior can be produced. In this case,
uploaded viewing objects are scanned for elements of common interest,
such as types of programs viewed, actual programs viewed, etc. For
example, a "top ten list" aggregate of programs viewed on all client
devices in the last week might be generated containing the following
week's showing of those programs.

2.4. Aggregates based on explicit selections by viewers. During viewing of a
program, the viewer might be presented with an opportunity to "vote" on
the current program, perhaps on the basis of four perceived attributes
(storyline, acting, directing, cinematography), which generates viewing
objects that are uploaded later. These votes are then scanned to
determine an overall rating of the program, which is transmitted to those
who voted for their perusal.

2.5. There are many other examples of how the basic facilities of this
invention allow the service operator to provide pre-sorted and pre-selected
groups of related programs to the user of the client device for
perusal and selection. These examples are not meant to limit the
applicability of the invention, but to illustrate by example the spectrum of
operations that might be performed.

3. Manual methods may also be used to generate aggregate objects, a
process sometimes called "authoring". In this case, the person creating the
aggregate chooses programs for explicit addition to the aggregate. It is then
transmitted in the same manner as above.



Clearly, aggregation program objects may also permit the expression of 
preferences or recording of other information. These results may be uploaded to 
the central site to form a basis for the next round of aggregate generation or 
statistical analysis, and so on. 

This feedback loop closes the circuit between service provider and the universe 
of viewers using the client device. This unique and novel approach provides a 
new form of television viewing by providing unique and compelling ways for the 
service provider to present and promote the viewing of television programs of 
interest to individuals while maintaining reliable and consistent operation of the 
service. 

Although the invention is described herein with reference to the preferred
embodiment, one skilled in the art will readily appreciate that other applications
may be substituted for those set forth herein without departing from the spirit and
scope of the present invention. Accordingly, the invention should only be
limited by the Claims included below.

CLAIMS

[...] clients within a specific domain;

transmitting slices to client devices; and

receiving uploaded database objects from client devices.

[...] The process of claim [...]

3. [...] said slice to client devices.

4. The process of claim 3, [...] within said slice.

5. The process of claim 1, wherein the data describing a slice is transmitted
continually until a new slice is provided for transmission.

6. The process of claim [...], wherein said transmission is through
communication mediums such as broadcast mechanisms, modems, networks, or
the Internet.

7. The process of claim [...] database and a client device is established, [...]
of previously received slices [...] transmission server compares said inventory
[...] slices that should have been processed by said client and slices which
were not processed are transmitted to said client device.

8. The process of claim 1, wherein a slice is transmitted by breaking the
encrypted slice into a succession of short, numbered data packets.

9. The process of claim 8, wherein said data packets are captured by client
devices and held in a staging area until all packets in the sequence are present
and wherein said packets are reassembled into the correct slice, which is then
decrypted.

10. The process of claim 9, wherein the database objects within the slice are
filtered for applicability, possibly being added to the local database.

11. The process of claim 9, wherein data packets which are older than a
selected time period are purged from the staging area on a periodic basis.

12. The process of claim 9, wherein a data packet is discarded when an error
is detected in said data packet.

13. The process of claim 1, wherein a slice may communicate service related
data to a client device.

14. The process of claim 1, wherein a slice may contain an authorization object
indicating the allowable time delay before another authorization object is
received, as well as one or more symmetric keys used to decrypt new slices and
are valid for a short time period.

15. The process of claim 14, wherein if the client has not received a proper
authentication object by the delay time set in said client's local database, said
client will commence denial of select services to the viewer.

16. The process of claim 1, wherein database updates are treated as
transactions such that an entire transaction is completed or none of the transaction
is completed.

17. The process of claim 1, wherein every object in said database has a
version attribute.

[...] object from which the object was replicated.

19. [...] comparing the source version of the received object with the source
[...]

[...] the object is no longer valid and should be discarded.

[...] of claim 20, wherein when a new object is received, the [...]

22. The process of claim [...], wherein a filter object is [...] of values for
attributes that make it acceptable [...]

23. The process of claim 22, wherein said filter object may contain executable
code.

24. The process [...] new object which lists the object IDs and [...] object is
dependent on.

25. The process of claim 1 [...] If so, the new object is added to [...]
otherwise the new object is "staged", saving it in a holding area until all
dependen[...]

[...] database [...] allowing an application to perform [...] dynamically
discover what object types are supported [...]

The process of claim 1, further comprising the step of:
assigning each object in said database an object ID; and
wherein said object ID is unique within said database.

28. The process of claim 1, wherein each object in said database has a
reference count and wherein an object with a reference count of zero will not
persist in said database.

29. The process of claim 28, wherein the reference count of an object is
incremented by one for each object that refers to it.

30. The process of claim 28, wherein if an object which refers to other objects
is deleted, then the reference count on all objects referred by it is decremented.

31. The process of claim 27, wherein a directory object maintains a list of
object IDs that refer to an object and an associated simple name for said object.

32. The process of claim 31, wherein an object may be referred to by
multiple paths such that one object may have many names.

33. The process of claim 1, wherein a derived attribute is maintained for each
object listing the directory objects which refer to that object.

34. The process of claim 1, wherein an indexer object is defined for each
object type and indicates what attributes are to be used when indexing each
object type into the database namespace; and wherein said indexer object may
contain executable code.

35. The process of claim 1, further comprising the step of:
providing a reaper; and
wherein said reaper periodically examines all objects in the database and,
depending on the object type, further examines various attributes and attribute
values to decide if the object should be retained in the database.

36. The process of claim 35, wherein said reaper accesses a reaper object
containing executable code and associated with the object type of the current
object.

37. The process of claim 1, wherein client devices periodically contact said
server.




WO 00/58833 



PCT/US00/06079 




38. The process of claim 1, wherein the client device sends a byte sequence
identifying itself which is encrypted with its secret key.

39. The process of claim 38, wherein said server fetches the matching
database object for the client device from the central database and uses the key
stored in said object to decrypt the byte sequence.

40. The process of claim 38, wherein said server sends a byte sequence to
said client, encrypted in its secret key, giving said client a new one-time
encryption key for the session.

41. The process of claim 40, wherein both sides must successfully decrypt
their authentication message in order to communicate.

42. The process of claim 40, wherein all further communication is encrypted
using the one-time session encryption key.

43. The process of claim 1, wherein viewing and operations data residing on
said client are uploaded to said central database.

44. The process of claim 1, wherein an uploaded object is assigned a
navigable attribute containing information about its source and is indexed uniquely
into the database namespace when it is added.

45. The process of claim 1, wherein uploaded objects are not immediately
added to the central database but are queued for later insertion into the central
database.

46. The process of claim 1, further comprising the step of:
invoking periodic tasks on the server to cull uploaded objects from the
database and to forward or dispose of them as appropriate which may result in
new objects being added to the central database or existing objects being
updated; and
wherein the new or updated objects are transmitted to client devices.

47. The process of claim 1, further comprising the step of:
providing aggregation objects that describe a set of database objects that
are interrelated in some fashion.

48. The process of claim 1, further comprising the step of:
creating preference objects based on direct and indirect preferences;
wherein said preference objects are weighted; and
wherein non-linear combinations may be used for weighting a preference
object.

49. The process of claim 48, further comprising the step of:
generating a list of preferred programs using said preference objects.

50. The process of claim 49, further comprising the step of:
creating a recording schedule using said preferred list; and
wherein said schedule lists a collection of recorded programs of most
interest to the viewer.

51. The process of claim 1, wherein client devices record operations status
objects that include, but are not limited to, viewer actions, transactional information,
automatic actions, software installation actions, and hardware exceptions of
various kinds.

52. The process of claim 1, further comprising the step of:
performing extensive analysis of hardware reliability trends and failure
modes by examining uploaded operations status objects from client devices.

53. The process of claim 1, further comprising the step of:
deriving demographic or psychographic information about various
populations of client devices by examining uploaded viewing information from
said client devices.

54. The process of claim 1, further comprising the step of:
generating "rating" and "share" values for particular programs by
examining uploaded viewing information objects from client devices.

55. An apparatus for a self-maintaining distributed database system that
ensures that a consistent subset of a central database is replicated in any number
of client devices in a computer environment, comprising:
a central database resident on a server;
wherein said database contains database objects;
a module for gathering objects to be replicated into distribution packages
[...] a slice is a subset of said central database which is relevant to
clients within a specific domain;
a module for transmitting slices to client devices; and
a module for receiving uploaded database objects from client devices.

56. The apparatus of claim 55, wherein the speed and periodicity of
[...] said central database and generating slices for [...]
adjustable in an arbitrary fashion to allow useful cost/performance tradeoffs to be
made.

57. The apparatus of claim 55, further comprising:
a module for encrypting a slice using a short-lived symmetric key before
transmitting said slice to client devices.

58. The apparatus of claim 57, wherein only client devices which have been
authenticated using secure protocols will have a copy of said symmetric key,
enabling them to decrypt said slice and access the objects within said slice.

59. The apparatus of claim 55, wherein the data describing a slice is
transmitted continually until a new slice is provided for transmission.

60. The apparatus of claim 55, wherein said transmission is through
communication mediums such as broadcast mechanisms, modems, [...], or
the Internet.

61. The apparatus of claim 55, wherein when a connection between said
[...] database and a client device is established, the [...]
inventory of previously received slices to a transmission server; and wherein said
transmission server compares said inventory with the [...]
have been processed by said client and slices which were not processed are
transmitted to said client device.

62. The apparatus of claim 55, wherein a slice is transmitted by breaking the
encrypted slice into a succession of short, numbered data packets.

63. The apparatus of claim 62, wherein said data packets are captured by
client devices and held in a staging area until all packets in the sequence are
present and wherein said packets are reassembled into the correct slice, which is
then decrypted.

64. The apparatus of claim 63, wherein the database objects within the slice
are filtered for applicability, possibly being added to the local database.

65. The apparatus of claim 63, wherein data packets which are older than a
selected time period are purged from the staging area on a periodic basis.

66. The apparatus of claim 63, wherein a data packet is discarded when an
error is detected in said data packet.

67. The apparatus of claim 55, wherein a slice may communicate service
related data to a client device.

68. The apparatus of claim 55, wherein a slice may contain an authorization
object indicating the allowable time delay before another authorization object is
received, as well as one or more symmetric keys used to decrypt new slices and
are valid for a short time period.

25 69 The apparatus of claim 68, wherein if the client has not received a proper 
authentication object by the delay time set in said client's local database, said 
client will commence denial of select services to the viewer. 

70 The apparatus of claim 55, wherein database updates are treated as 
30 transactions such that an entire transaction is completed or none of the transaction 
is completed. 

71 . The apparatus of claim 55, wherein every object in said database has a 
version attribute. 

35 . 

72 The apparatus of claim 55, wherein the schema for each object that may 

be replicated includes a source version attribute that indicates the version of the 

object from which the object was replicated. 

40 73. The apparatus of claim 72, further comprising: 

a module for comparing the source version of the received object with the 
source version of the current object when an object is received; and 
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5 wherein if said received object has a higher source version attribute than 

said current object, then said received object is copied over said existing current 
object, otherwise said received object is discarded. 

74. The apparatus of claim 55, wherein an object has an expiration attribute
and wherein said expiration attribute comprises a date and time indication after
which the object is no longer valid and should be discarded.

75. The apparatus of claim 74, wherein when a new object is received, the
expiration time is checked, and said new object is discarded if it has expired.

76. The apparatus of claim 55, wherein a filter object is defined for each object
type and indicates what attributes are required, should not be present, or ranges
of values for attributes that make it acceptable for addition to the database.

77. The apparatus of claim 76, wherein said filter object may contain
executable code.

78. The apparatus of claim 55, wherein a dependency attribute is defined for
a new object which lists the object IDs and source versions of objects that said
new object is dependent on.

79. The apparatus of claim 55, wherein when a new object is received, the
database is first checked to see if all dependencies of that object are present and
if so, the new object is added to the database, otherwise the new object is
"staged", saving it in a holding area until all dependent objects are also staged.
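The client-side acceptance checks of claims 72 to 79 (expiration, source version comparison, dependency staging), as an added example that is not code from the patent. The class and field names are hypothetical, and treating a dependency as met by the listed source version or a newer one is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Obj:
    oid: int                  # object ID, unique within the database
    source_version: int       # version of the central object this was copied from
    expires: float            # time after which the object is no longer valid
    deps: dict = field(default_factory=dict)   # oid -> required source version


class ClientDB:
    def __init__(self):
        self.objects = {}     # committed objects, oid -> Obj
        self.staged = {}      # holding area for objects with unmet dependencies

    def receive(self, obj, now):
        """Apply the checks; return 'expired', 'stale', 'staged' or 'added'."""
        if now >= obj.expires:
            return "expired"
        newest = max((db[obj.oid].source_version
                      for db in (self.objects, self.staged) if obj.oid in db),
                     default=None)
        # Only a strictly higher source version replaces what is held, so a
        # replayed or rolled-back copy of an object is discarded.
        if newest is not None and obj.source_version <= newest:
            return "stale"
        self.staged[obj.oid] = obj
        return "added" if obj.oid in self._commit_ready(now) else "staged"

    def _commit_ready(self, now):
        """Commit, as one unit, every staged object whose dependencies are all
        in the database or in the same ready set."""
        ready = {o: s for o, s in self.staged.items() if now < s.expires}
        changed = True
        while changed:                      # shrink to a self-consistent set
            changed = False
            pool = {**self.objects, **ready}
            for oid, obj in list(ready.items()):
                # Assumption: a dependency is met by the listed version or newer.
                ok = all(d in pool and pool[d].source_version >= v
                         for d, v in obj.deps.items())
                if not ok:
                    del ready[oid]
                    changed = True
        self.objects.update(ready)
        self.staged = {o: s for o, s in self.staged.items()
                       if o not in ready and now < s.expires}
        return set(ready)
```

Committing the ready set in one step follows the all-or-nothing update of claim 70 and lets mutually dependent objects enter the database together once both are staged.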

80. The apparatus of claim 55, further comprising:

a module for allowing an application to perform introspection on the
database to dynamically discover what object types are supported and their
schema.

81. The apparatus of claim 55, further comprising:

a module for assigning each object in said database an object ID; and

wherein said object ID is unique within said database.

82. The apparatus of claim 55, wherein each object in said database has a
reference count and wherein an object with a reference count of zero will not
persist in said database.
83. The apparatus of claim 82, wherein the reference count of an object is
incremented by one for each object that refers to it.

84. The apparatus of claim 82, wherein if an object which refers to other
objects is deleted, then the reference count on all objects referred by it is
decremented.

85. The apparatus of claim 81, wherein a directory object maintains a list of
object IDs that refer to an object and an associated simple name for said object.

86. The apparatus of claim 85, wherein an object may be referred to by
multiple paths such that one object may have many names.

87. The apparatus of claim 55, wherein a derived attribute is maintained for
each object listing the directory objects which refer to that object.

88. The apparatus of claim 55, wherein an indexer object is defined for each
object type and indicates what attributes are to be used when indexing each
object type into the database namespace; and wherein said indexer object may
contain executable code.

89. The apparatus of claim 55, further comprising:

a reaper; and

wherein said reaper periodically examines all objects in the database and,
depending on the object type, further examines various attributes and attribute
values to decide if the object should be retained in the database.

90. The apparatus of claim 89, wherein said reaper accesses a reaper object
containing executable code and associated with the object type of the current
object.

91. The apparatus of claim 55, wherein client devices periodically contact said
server.

92. The apparatus of claim 55, wherein the client device sends a byte
sequence identifying itself which is encrypted with its secret key.
93. The apparatus of claim 92, wherein said server fetches the matching
database object for the client device from the central database and uses the key
stored in said object to decrypt the byte sequence.

94. The apparatus of claim 92, wherein said server sends a byte sequence to
said client, encrypted in its secret key, giving said client a new one-time
encryption key for the session.

95. The apparatus of claim 94, wherein both sides must successfully decrypt
their authentication message in order to communicate.

96. The apparatus of claim 94, wherein all further communication is encrypted
using the one-time session encryption key.

97. The apparatus of claim 55, wherein viewing and operations data residing
on said client are uploaded to said central database.

98. The apparatus of claim 55, wherein an uploaded object is assigned a
navigable attribute containing information about its source and is indexed uniquely
into the database namespace when it is added.

99. The apparatus of claim 55, wherein uploaded objects are not immediately
added to the central database but are queued for later insertion into the central
database.

100. The apparatus of claim 55, further comprising:

a module for invoking periodic tasks on the server to cull uploaded objects
from the database and to forward or dispose of them as appropriate which may
result in new objects being added to the central database or existing objects
being updated; and

wherein the new or updated objects are transmitted to client devices.

101. The apparatus of claim 55, further comprising:

aggregation objects that describe a set of database objects that are
interrelated in some fashion.

102. The apparatus of claim 55, further comprising:

a module for creating preference objects based on direct and indirect
preferences;

wherein said preference objects are weighted; and

wherein non-linear combinations may be used for weighting a preference
object.

103. The apparatus of claim 102, further comprising:

a module for generating a list of preferred programs using said preference
objects.

104. The apparatus of claim 103, further comprising:

a module for creating a recording schedule using said preferred list; and

wherein said schedule lists a collection of recorded programs of most
interest to the viewer.

105. The apparatus of claim 55, wherein client devices record operations status
objects that include, but are not limited to, viewer actions, transactional information,
automatic actions, software installation actions, and hardware exceptions of
various kinds.

106. The apparatus of claim 55, further comprising:

a module for performing extensive analysis of hardware reliability trends
and failure modes by examining uploaded operations status objects from client
devices.

107. The apparatus of claim 55, further comprising:

a module for deriving demographic or psychographic information about
various populations of client devices by examining uploaded viewing information
from said client devices.

108. The apparatus of claim 55, further comprising:

a module for generating "rating" and "share" values for particular programs
by examining uploaded viewing information objects from client devices.

109. A program storage medium readable by a computer, tangibly
embodying a program of instructions executable by the computer to perform
method steps for a self-maintaining distributed database system that ensures
that a consistent subset of a central database is replicated in any number of client
devices in a computer environment, comprising the steps of:

providing a central database resident on a server;

wherein said database contains database objects;
WO 00/58833

distribution packages called "slices";

clients within a specific domain;

said slice to client devices.

enabling them to decrypt said slice and access xne j

continually until a new slice is provided for transmission.

wherein said transmission is through

ll^TSj: raslldctst — s, modems, n— or the Internet.

transmitted to said client device.

encrypted slice into a succession of short, numbered data packets.

117.

decrypted.
118. The method of claim 117, wherein the database objects within the slice
are filtered for applicability, possibly being added to the local database.

119. The method of claim 117, wherein data packets which are older than a
selected time period are purged from the staging area on a periodic basis.

120. The method of claim 117, wherein a data packet is discarded when an
error is detected in said data packet.

121. The method of claim 109, wherein a slice may communicate service
related data to a client device.

122. The method of claim 109, wherein a slice may contain an authorization
object indicating the allowable time delay before another authorization object is
received, as well as one or more symmetric keys used to decrypt new slices and
are valid for a short time period.

123. The method of claim 122, wherein if the client has not received a proper
authentication object by the delay time set in said client's local database, said
client will commence denial of select services to the viewer.

124. The method of claim 109, wherein database updates are treated as
transactions such that an entire transaction is completed or none of the transaction
is completed.

125. The method of claim 109, wherein every object in said database has a
version attribute.

126. The method of claim 109, wherein the schema for each object that may be
replicated includes a source version attribute that indicates the version of the
object from which the object was replicated.

127. The method of claim 126, further comprising the step of:

comparing the source version of the received object with the source
version of the current object when an object is received; and

wherein if said received object has a higher source version attribute than
said current object, then said received object is copied over said existing current
object, otherwise said received object is discarded.
128. The method of claim 109, wherein an object has an expiration attribute
and wherein said expiration attribute comprises a date and time indication after
which the object is no longer valid and should be discarded.

129. The method of claim 128, wherein when a new object is received, the
expiration time is checked, and said new object is discarded if it has expired.

130. The method of claim 109, wherein a filter object is defined for each object
type and indicates what attributes are required, should not be present, or ranges
of values for attributes that make it acceptable for addition to the database.

131. The method of claim 130, wherein said filter object may contain
executable code.

132. The method of claim 109, wherein a dependency attribute is defined for a
new object which lists the object IDs and source versions of objects that said new
object is dependent on.

133. The method of claim 109, wherein when a new object is received, the
database is first checked to see if all dependencies of that object are present and
if so, the new object is added to the database, otherwise the new object is
"staged", saving it in a holding area until all dependent objects are also staged.

134. The method of claim 109, further comprising the step of:

allowing an application to perform introspection on the database to
dynamically discover what object types are supported and their schema.

135. The method of claim 109, further comprising the step of:

assigning each object in said database an object ID; and

wherein said object ID is unique within said database.

136. The method of claim 109, wherein each object in said database has a
reference count and wherein an object with a reference count of zero will not
persist in said database.

137. The method of claim 136, wherein the reference count of an object is
incremented by one for each object that refers to it.
138. The method of claim 136, wherein if an object which refers to other objects
is deleted, then the reference count on all objects referred by it is decremented.

139. The method of claim 135, wherein a directory object maintains a list of
object IDs that refer to an object and an associated simple name for said object.

140. The method of claim 139, wherein an object may be referred to by
multiple paths such that one object may have many names.

141. The method of claim 109, wherein a derived attribute is maintained for
each object listing the directory objects which refer to that object.

142. The method of claim 109, wherein an indexer object is defined for each
object type and indicates what attributes are to be used when indexing each
object type into the database namespace; and wherein said indexer object may
contain executable code.

143. The method of claim 109, further comprising the step of:

providing a reaper; and

wherein said reaper periodically examines all objects in the database and,
depending on the object type, further examines various attributes and attribute
values to decide if the object should be retained in the database.

144. The method of claim 143, wherein said reaper accesses a reaper object
containing executable code and associated with the object type of the current
object.

145. The method of claim 109, wherein client devices periodically contact said
server.

146. The method of claim 109, wherein the client device sends a byte
sequence identifying itself which is encrypted with its secret key.

147. The method of claim 146, wherein said server fetches the matching
database object for the client device from the central database and uses the key
stored in said object to decrypt the byte sequence.
148. The method of claim 146, wherein said server sends a byte sequence to
said client, encrypted in its secret key, giving said client a new one-time
encryption key for the session.

149. The method of claim 148, wherein both sides must successfully decrypt
their authentication message in order to communicate.

150. The method of claim 148, wherein all further communication is encrypted
using the one-time session encryption key.

151. The method of claim 109, wherein viewing and operations data residing
on said client are uploaded to said central database.

152. The method of claim 109, wherein an uploaded object is assigned a
navigable attribute containing information about its source and is indexed uniquely
into the database namespace when it is added.

153. The method of claim 109, wherein uploaded objects are not immediately
added to the central database but are queued for later insertion into the central
database.

154. The method of claim 109, further comprising the step of:

invoking periodic tasks on the server to cull uploaded objects from the
database and to forward or dispose of them as appropriate which may result in
new objects being added to the central database or existing objects being
updated; and

wherein the new or updated objects are transmitted to client devices.

155. The method of claim 109, further comprising the step of:

providing aggregation objects that describe a set of database objects that
are interrelated in some fashion.

156. The method of claim 109, further comprising the step of:

creating preference objects based on direct and indirect preferences;

wherein said preference objects are weighted; and

wherein non-linear combinations may be used for weighting a preference
object.

157. The method of claim 156, further comprising the step of:

generating a list of preferred programs using said preference objects.

158. The method of claim 157, further comprising the step of:

creating a recording schedule using said preferred list; and

wherein said schedule lists a collection of recorded programs of most
interest to the viewer.

159. The method of claim 109, wherein client devices record operations status
objects that include, but are not limited to, viewer actions, transactional information,
automatic actions, software installation actions, and hardware exceptions of
various kinds.

160. The method of claim 109, further comprising the step of:

performing extensive analysis of hardware reliability trends and failure
modes by examining uploaded operations status objects from client devices.

161. The method of claim 109, further comprising the step of:

deriving demographic or psychographic information about various
populations of client devices by examining uploaded viewing information from
said client devices.

162. The method of claim 109, further comprising the step of:

generating "rating" and "share" values for particular programs by
examining uploaded viewing information objects from client devices.